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M0CRANDUM FOR: Chief, Audit Staff, OIG 


FROM: 


SUBJECT: 


Thcmas B. Yale 
Director of Finance 

Report of Audit of the Office of Data Processing 
as of 30 June 1978 


1. The position of the Office of Finance is not to adopt the audit 
recaaaemdation as stated in paragraphs S3, 34, and 35 of subject audit 
report. Our position is based on the propriety of obligations as they 
relate to the establishment of liabilities that far exceed authorized 
budgets. In as ranch as this Agency's appropriation is governed by one 
year money we feel the establishment of liabilities covering in setae 
instances contracts encompassing a period of six years is not sound. 

The wording used within the contracts in question. Alternate Purchase Plans 
(AFP) further draws attention to the questionable propriety. These contracts 
are written giving the Agency many escapes with wording such as "No funds are 
currently legally obligated." "....subject to the availability funds....," 
"No legal liability on the part of the Goverment for payment of any money 
in excess of that amount currently obligated shall arise unless and until 

funds are made available to the contracting officer " It should be 

noted, we have no problem with the implied ownership and in fact the APP 
contracts acknowledge that throughout the period of the agreements or until 
all equipment is returned all risk and cost of ownership shall be on the 
Agency. The very words "or until all equipment is returned" isplles owner- 
ship remains with the vendor until we have paid in full. What we do fail 
to see Is how the adoption of the audit recommendation strengthens the 
Agency financial picture or In fact provides better property accountability 
controls. As a matter of Interest we have checked with our counterparts 
in other agencies to determine how they treat such contracts . Each advised 
they do not capitalize assets and establish liabilities when they implement 
similar contracts. Air Force, for example, uses one year 0$M money and they 
too feel that to set up liabilities extending beyond authorized obligation 
authorities is suspect. 

2. The GAO report "Accounting for Automatic Data Processing Costs 
Need Improvement" B- 115369 dated 7 February 1978, acknowledges that the 
reason for capitalizing the purchase price of Automatic Data Processing 
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MEMORANDUM FOR: 
THROUGH : 


Director of Finance 
Inspector General 



SUBJECT 


, Audit Staff, OIG 


Report of Audit of the Office of 
Data Processing as of 30 June 1978(S) 


1. (U) Paragraph 3 below contains a request for your 

action. 


2. (U) The following paragraphs are extracted from 

subject Report of Audit: 


’Agency Assets and Liabilities Understated 


33. (S) The general ledger account 1723, Property in 
Use-Other, values ODP property at $10.8 million. However, the 
eventual total cost of owned equipment currently in the two 

25X1A computer centers will be ^^^Jmillion. The discrepancy between 
the actual value of ov/ne^equipment and the amount currently 
shown in the general ledgers is due to the current policy of 
not recording the cost of equipment until it is completely 
paid for. 

25x1 A 

34. (S) The Agency has alternate annual payment contracts 
jj^^^th^^]0^ern^tional Business Machines Corporation (IBM), 
MjWBSPWWli H and several third party leasing firms for 

the purchase of seven large computer systems. These contracts 
25X1 A total ^■million and are to be paid over a multi-year 
25X1APsriod. To date million has been paid on these 

contracts. 


35. (S) Whether these contracts are viewed as a lease 
with intent to purchase or as an outright purchase with time 
payments they should be recorded in the accounting system. The 
General Accounting Office's 'Policy And Procedures Manual For 
Guidance to Federal Agencies Title II Accounting' (August 
1972), gives the following guidelines for property acquired 
under lease-purchase arrangements: 

E2 IMPDET 

a BY 010572 
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The total cost shall be capitalized when the property 
is accepted from the contractor or when the option to 
purchase equipment is exercised, rather than period- 
ically as payments are made or when title passes to 
the Government' . 


The cost of property acquired under lease-purchase 
contracts, which in substance represent installment 
purchasing, should include the purchase price under 
the contracts and related costs incurred by the 
Government' . 


The purchase price included in lease-purchase contracts 
tor property, which are in substance installment 
purchases..,, shall be recorded as a liability when the 
property is accepted from the contractor or when the 
option to purchase equipment is exercised. Such a 
liability shall be reduced by periodic payments.' 


?! f ° r alternate annual payment contracts the option 

o purchase has been exercised at contract signing even though 
payments are spread out over a period of time. In a separate 

acHo^ 0111 t0 D * rector of Finance, we are requesting 

th< 7 Purchase price of the contracts discussed 

q DOV r CD 1" tn i 1 1 i n -u ^ ■■ 


c ^ w at. c ui su ussea 

. . million in the appropriate general ledqer 

to capitalize the assets. The remaining liability of 

BBB 111111011 due the contractors should also be recorded in 
an appropriate general ledger account* 1 


3. (U) We request that action be taken to record the 
pf®®*® ll jf lllt i es , as di scussed in paragraph 2 above. 
Please advise the undersigned of action taken on this matter. 



25X1 A 
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MEMORANDUM FOR 

THROUGH 

FROM 

SUBJECT 


Director, Office of Data Processing 
Inspector General M/ 



ne 


udit Staff 


Report of Audit of Office of Data Processing 
as of 30 June 1978 (S) 


1. (U) Subject report is attached. Please advise 
this office of action taken on the recommendations con- 
tained in the report. 

2. (U) We appreciate the cooperation extended to 
the auditors during the audit. 


Attachment 

Distribution: 
Orig. - D/ODP 
dT - DDA 
1 - O/Compt 
1 - OIG 
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REPORT OP AUDIT 
Office of Data Processing 
as of 30 June 1978 


SUMMARY 


1. (A/IUO) The Office of Data Processing (ODP) generally 
is carrying out its assigned tasks and utilizing resources in 
an effective manner. Financial controls and procedures are 
generally effective and in compliance with applicable 
regulations. Since the last audit, ODP has developed computer 
systems which are better designed and more efficient to 
operate and maintain. User involvement has increased but has 
been neither uniform nor complete for all systems under 
development. We believe all major user offices should strive 
for ADP skills improvement and more participation with ODP in 
systems development for their offices. This report includes 
commments with recommendations where appropriate, concerning 
the following: 

- policy for minicomputers 

“ development of a written disaster recovery 
plan for the computer centers 

- storage of system software backup tapes and 
critical data bases at an offsite location 

“ strengthening existing and developing new 
technical security controls for several 
problem areas 

- employment of a full-time administrative 
assistant in the ODP Security Office 

- sanitizing 'scratch' tapes in the Special 
Center 

- reduction in frequency of tape library 
inventories 

- weaknesses in access procedures for the 
Ruffing Computer Center 


S E C R E T 
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provision yc more stringent controls over 
s dotage and distribution of users' computer 
outputs ' " 

- monitoring terminal usage 

- strengthening of controls in GIMS IX data 
bases 

- improvement in methods for recording time 
purchased hardware and establishing cost 
for systems development 

- strengthening of property controls and 
procedures. 


SCOPE 


25X1A 

( A/IUO) The audit was conducted under the authority of 
and included a review of procedures and controls 
exercised by ODP in the administration of its share of Aqency 
resources. The audit concentrated on: " 

- financial controls and procedures 

- logistical controls and procedures 

- administration of project development 
by Applications and Special Projects 
Staff 

- review of missions and procedures of 
the Ruffing and Special Computer Centers 

“ review of security procedures used in ODP 

~ policy on minicomputers. 



GENERAL 


3. (S) ODP provides centralized computer services to all 
components of the Agency. They operate two major computer 
centers: the Ruffing Center which serves most general users. 
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and the Special Center which serves only the ODpr^finnc 

usecs!° ra -Jhese nCi C °!; IIREX Autora ^ted Management System (CAMS) 

. ^^centers combined own equipment valued at 

millions 3 Th^Sii lli0n ' and leaSe ec I ui f™ ent valued in the 
P offlCG reviews and coordinates user offices' 
proposals for acquisitions of any computer equipment 

ceiling e of ■■« e Lco rV i- e K , -,° DP ' haS an authori ^^ personnel 
ceiling n. pjlsj to accomplish its mission. 


■25X1 A 


4. (S) ODP's operating 
summarized as follows; 


budget for Fiscal Year 1978 is 



Minicomputer Policy 


. . 5 * ( y itJ °) In January 1978 OOP formulated its policy for 
minicomputer use in OOP and, to the extent ODP can impact on 
m the Agency. ODP estimates the number of minicomputer 


it. 


applications are growing 


estimates 
at a rate 


of 30% per year. 


6 


j. -j . (A/IUO) In a 15 July 1977 paper to the Executive 

dvisory Group (EAG) titled 'Response to Key ADP Issue #3' 
ealing with the question of centralized versus decentralized 

S !V aCl ltl6S ? DP ide ntified the following advantages 
which make a decentralized approach attractive: 5 


- lower software development cost 
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if applications software already 
exists and is available from 
the equipment vendor 

l 

- data privacy for sensitive applications 

- faster response and possibly 
better availability and reliability. 

7. ( A/IUO) Data processing users have recognized these 
benefits and are seeking their own minicomputer facilities for 
a variety of applications. This decentralization of computer 
resources continues with limited Agency-wide coordination and 
planning. Such an approach risks failure to apply Agency ADP 
resources efficiently, tolerating inconsistent work standards 
and quality control, complicating training and maintenance 
requirements and reducing the interchangabil i ty of 
applications between processors. 

8 * (A/IUO) ODP recognizes this lack of central 
u^ enS ^ Ve P-*- ann i n 9 and has previously recommended to the 
LAG that ODP serve as the Agency's central source of technical 
support and guidance for the selection and maintenance of a 
standard minicomputer. ODP has formulated an office policy 
consistent with this recommendation to: 

- implement and support standard 
minicomputer hardware and 
software 

- use Agency standard terminals 
in the minicomputer system 
configurations 

- provide for minicomputers in their 
budget (Customers may be required 
to provide their own machine room 
or operators or personnel slots 
for ODP operators.). 

9. (A/IUO) Concurrent with the expansion of minicomputer 
capability ODP Management Staff plans to develop costs of 
batch and interactive central system service for use in 
comparing cost of ODP central service versus the cost of 
acquiring and operating an individual minicomputer in meeting 
the demands of a particular proposed application. 

10. (C) The ODP GIMINI Project is an attempt to identify 
minicomputer hardware and operating systems which can support 
GIMS II, the Agency's data base management system for large 
data bases. ODP plans to allow users with sensitive 
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applications, extremely high needs tor data privacv or 
response trme/availabil ity concerns to isolate teei? dlte^a^ 

a2clss n ’stoMqe Ut the SYStem ra i her than use the common direct 
storage the general GIMS user is provided The 

aS S ?L tWare C ° Uld be run both the large cenlril compute? 

application? lni o?S PUteir ' thus easln 9 transferability of 
Catl ° DP P re sently favors acquiring minicomputers 

need for^J” 9 ? ystems com P a tible with System 3 70 to avoid the 
system°t 0 e accomoda te°GIMS? *° n ° f thG oper.tSj 

(C) L , 0DP currently has 13 minicomputers: two for 

gapp? 9 s ** tcbin 9' one for the GIMINI project, one for the 

use in aP ?he C ?AD° n Svs?P Hos Pi tai i Z a tion/fnsurance , and nine for 
use in the TAD System. ODP requested authority to procure 

This e hardwa?e P wa erS t° f h a Standard desi 9 n in their FY80 budget, 
fhe be assigned to users applications where' 

standard JT S - :,usblfied * The intent was to then maintain one 

system and r 9 ^ minlCOmP r ter f ° r the deve lopment of the next 
. a nd main tenance of the current system. The procurement 
authority requested was rejected in the budget process This 
action, along with the rejection of two FY80 pete^tel stete 

h« !i® qu f sted , to devel °P a " d maintain these minicompute? 
has in effect stalled ODP's plans. We believe ODP developed 

manner We* fCn pollcles , ln a reasonable and responsible 
manner. We fully concur with ODP's position on this matter 

te?trS 1 of' :e ?S nUi ? n e 0£ the need £or c^ralited planning a?d 
control of the proliferation of minicomputer systems within 

controlled^qrowth 6 „ f im ?° rtanCe »f .an Agency "apprla^'te 
efficient a L S ? f minicom P^rs is most important in the 
efficient and effective management of these vital resources. 

mnn-l 2 '-; (A/IU0) The De Puty Director of Central Intelligence 
(DDCI) m a memorandum dated 26 July 1978, to Fxecutive 
Advisory Group (BAG) members set forth Agency policy with 
respect to continuing BAG involvement in the management of 
gency ADP resources. This memorandum provides for BAG to in 

^ Un Se“?ftea t lY t ? reVie “ ° f the 

ulte'of ADP X ? CUS attentlon ° n the Proposed functional 

ADP and on ma lor ADP investments. We believe ODP's 
plan for an Agency minicomputer policy is of such timeliness 
and importance that it should be considered by the BAG. 

RECOMMENDATION # 1 : Present ODP's minicomputer 
support plan to the BAG for its consideration 
within the framework of the annual review as 
directed in the DDCI meomorandum cited above. 
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Provisions for a Disaster Plan 


13 ‘ T ^ e Purpose of a disaster plan is to minimize 

U n i service interruption in an emergency 

situation. Currently ODP does not have a written 
disaster plan. Engineering Division has the 

responsibility for recovering from a disaster, 
primarily a technical approach i.e. replacement of 
cables, and physical plant. The area that requires 
fK ten * 10n the identification of applications critical to 
the Agency s missions. Areas such as alternatives to 
processing by computer and what can be run on non-Aqency 
computers should be investigated. 


or tested 
general 
This is 
hardware , 
extens ive 


14. (A/IUO) The complete spectrum of ADP requirements 
needs to be reviewed and prioritized. The results should then 
be matched against the Agency's capability to provide these 
services in the event of a disaster to one or both computer 
centers. Alternative processing sites should be identified 
and the entire disaster recovery plan should be maintained in 
a current status and tested periodically to validate its 
effectiveness . 


RECOMMENDATION #2: Review and prioritize the 
Agency's emergency ADP requirements and develop 
a written disaster recovery plan that adquately 
provides support in the event of a disaster. 

Also provide for current maintenance and periodic 
testing of the plan after development. 


Offsite Storage Requirement 


15. (S) Backup copies of ODP system software and critical 
data bases i.e. CAMS are not stored at an offsite location. 
One can reason that equipment can be eventually replaced but 
system software and databases that are destroyed without 
backup provisions could be lost forever. Storing both the 
working and backup copies in the same area does not provide 
adequate safeguards against potential catastrophe. The most 
common measure taken to provide records backup is to store 
copies in an offsite location* 


16. (S) Once the backup program is established, it is 
essential to maintain and test it. Having a test team solve 
actual operational problems using the stored vital records 
will assure management the program does work. 
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RECOMMENDATION *3: Store system software backup 
tapes and copies of critical data bases in the 

and/or exchange 

etween the two computer centers. The 
stored backup records and programs should also be 
currently maintained and periodically tested to 
determine their operational readiness. 


Technical Security 


1 (?) 0DP identified a list of potential security 

problems with a majority of these items still unresolved. A 
partial listing of these items are: 

- a 'Who are You' identification code to 
determine if proper authorization has 
been obtained before allowing access to 
data on VM, GIMS, and COMTEN 

- 2 Tapes (other government agency tapes) are 
released without controls to assure that the 
receiving person is authorized to receive 
the tape and that the tape does not contain 
data other than the users 

- residual data remains on disk data sets when 
released thereby becoming accessible to the 
next user 

“ unauthorized users can, by learning data set 
names, access data sets other than their own 

- no controls over Systems and Applications 
programmers to prevent fraudulent or other 
misuses of systems and data bases 

listings containing systems dumps are removed 
from the computer center without a formal 
determination being made of the classification 
of the data listed 

- no audit trails of abortive attempts to link 
to M-Disk or logon (sic) the systems 

- inadequate security control over the printing of 
classified data on remote printers in customers 
locations . 


" r 
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18. (A/IUO) Also, there are some other 
internal controls need to be str engthened : 


areas 


where 


- during the evening shift in the Special Center 
and the weekend shifts in the Ruffing Center 
the computer operators have access to the tape 
library and can remove and use tapes without 
recording their use 

- no scheduled rotational/segregated duties 

exist in the centers i.e. operators are 1 

used as library and point workers during 

the same shift 


- when systems and applications software is 

modified there is little detailed documentation 
of the steps used during testing and/or the 
authorization for the changes; additionally 
there is no documented evaluation of the 
potential side effects of the changes on 
the operating environment 

“ there is inadequate compliance with the 
procedures for security classification 
labelling on data outputs from VM and 
Batch. 


Because of the sensitive nature of the data processed in the 
Agency, stringent security controls are essential. These 
controls, if they are to be effective, may be difficult to 

implement and prove to be encumbering to those who must work 
within them. 


^ ^ ^ ^ There are several alternatives to be considered 
in strengthening controls in the areas mentioned. They range 
from accelerated polygraphing of key personnel to a thorough 
an effective control package which may be operationally 
restrictive. The ODP security officer should address the 
se ^ rit y implications in these areas and determine if there is 
If I after evaluation, the need is apparent ODP and 
the Office of Security (OS) should concentrate the required 
resources to bring these areas under better control. 


RECOMMENDATION #4; Determine methods for better 
controls in the areas mentioned. Coordinate 
this study with the Office of Security. 
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. ur \ 1*“^ Gbp and the Office of Security in May 1977 
established an ODP/OS Working Group to identify, oversee, and 

G £ ecoramendat -L° ns to resolve these technical security 

t^re‘isn't e a e full J 686 ? r ° blemG stU1 Persist partly because 
lsr ? fc f full-time team or individual to actively pursue 
snd resolve these identified areas , 

21. (C) The current OOP Security Officer (SO) is 

requirement^ 1 ^°^ ■ - With day to da ^ adminstritive 
guirement^, ie. ootaming access indicators to the computer 

leaies S little n i tlal - Zin ? °? P . related security clearances. ? This 
leaves little time for technical security problems* 

wpr . 22 ' I*:} GDP stated during the previous audit that they 

This has nn l ul OCeSB of 1 ob t a ining a full-time technical SO. 
increases accomplished. The justifications given were 

- ODP personnel and applications 

- project sensitivity 

- complexity of the operating environment 

- compartmentation. 

The obtaining of this SO was resubmitted for the FY00 budget. 

s S ° cr , W f S re 3^cted as part of the budget process. The 
current SO has a part-time ODP admins trative assistant to 
handle some of the paperwork. Converting this part-time 
position to full-time would allow the SO to devote more of his 
efforts to technically related computer security problems. 

RECOMMENDATION #5: Consider converting the current 
part-time adminstative assistant to a full-time 
position. in addition, formally request technical 
security assistance from the Office of Security to 
assure proper attention to these technical security 
problems. y 


Release of Scratch Tapes 


to Cu f rant1 ^ special Center magnetic tapes released 
to scratch status (tapes made available to another user), 
are not sanitized The data left on the tapes by the previous 

1S Tn P ?r ^ ly a ^ ailable to next person using that 
tape. In the Ruffing Center 'scratch' tapes are sanitized via 
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the Data Erase process. Data Erase tapes do not have to be 
reinitialized (internal labeling) which requires compute? 
operator assistance. The Data Erase process reduces the 

?Xet bU Y -° f e * posure of data to unauthorized users. It 
a ?h r °J 11 F?^ ely tW ° t0 threG minutes to Data Erase one 
wh??h ? Uff t ng ,^ enter is on the Tape Management System 

Sa?ed ?hp 1V S .identifies the magnetic tapes to be Data 
Erased. The Special Center tape library will soon bn 

With ?HS ly reqSlIuM d tl t e ? pe Mana9eraent Systera (TMS). 

i , regulating the flow of tapes to be 'scratched' and 
I!?® relatively short time it takes to Data Erase, the 

minimal 100 ° ^ llhrar *' £ operating routine should be 


RECOMMENDATION #6: Use Data Erase to sanitize all 
magnetic tapes that are to be used as 'scratch' 
tapes in the Special Center. 


Inventory of Tape Library 

in the 4 * Pu f f f no V^nf 100 ^ i '? ventoc y is d one every three months 
v n fing CentGr and every two months in the Special 

re so Ivina ° th Cente , rs have exceptional records of 

tha? ^ dls ? repancies that do rarely occur we suggested 

lihraH^ Th nUal inventory would be adequate for both tape 
libraries. This would each year save approximately 200 hours 

su hoisted"^ af ?° th b participants. 6 !? “as 

,_ h gg . bat adg participants and the center manager siqn 

th? no? n ?° rY ? GI110 t0 add credib ility to this document? During 
7 nVent ° ry m ° nths the librarian should continul 
identifying overdue tapes for ODP Security Officer 

p?o?Id??e?° n * B ° th Centers have agreed to implement the above 


Access to Computer Centers 


( y iU0 ] 0DP recen tly obtained additional Headquarters 
and c f ° r - thG planned collocation of the ’points' (user oickup 
nd servicing areas). Estimates for the date of the 
relocation ranged from late FY79 through FY81 to not at all. 
recommendations in the next three paragraphs are intended 

ofbhe ^ v Until the final location and configuration 

of the 'point' has been determined. 
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26. Curin': jr review of the centers we observed a 

large nun of personnel entering the Ruffing Center. The 
number of non-Ruff ing Center personnel with 'E* access 

,1 indicators seems to be excessive. ('E' indicators are for the 

Ruffing Center and 1 B ' indicators are for the Special Center), 
f e Practice of granting access by component rather 

than by individuals daily need is questionable. Both computer 
centers managers stated that they have begun reviewing the 
individuals' requirements for access. The Special Center has, 
>5X1 A y their review, uidentif ied^^^people who no longer need 

5X1A automatic access , of which have already had their 

indicators removed. The Ruffing Center should identify those 

who no longer need automatic access and submit their names to 
the ODP Security Officer for removal of their 'E* indicators. 
Personnel with infrequent need can use a no escort badge, 
effectively reducing the amount of casual traffic in the 
center. 


RECOMMENDATION #7: Continue to review the need 
for 'E' Ruffing Center access indicators for non- 
center personnel and expand the usage of no escort 
badges for infrequent users. 


27. (C) Access to the Ruffing Center is monitored by the 
person manning the tape reception area. This individual has 
other duties which makes it difficult to visually monitor the 
doors at all times. To improve the situation ODP has 
rearranged the furniture to block the direct path to the 
computer room. This is a step in the right direction but an 
enhancement to this control is to install a remotely activated 
gate. This gate would require individuals entering to be 
visually observed and their need for access established. Once 
admitted past the gate they would have access to the work area 
of the 'point', library and computer room. This would permit 
the center's personnel to do their job without exitinq the 
controlled area. 


RECOMMENDATION #8: Install a remotely controlled 
access gate in the Ruffing Center 'point' area to 
limit unchallenged entry to the computer room. 


. 28 * 0DP is in the process of investigating different 
devices to provide a secure user pickup and data control. The 
eading candidate thus far is a badge operated mailbox system. 
The coded Agency badges would restrict an individual's access 
to predetermined mailboxes. However, this secure mailbox 
system is not planned for implementation until the new 'point' 
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has been a ted . Currently ODP 
sheets f-- each users listing, 
when he picks up his output, 
knowledge of who is authorized 
or even if the tear off sheets 

badged personnel can ask for listings fro™ almost any output 
bin and receive them regardless of whether he has the 
authorization to receive such information. The Ruffing Center 
typically collects one box of tear off sheets each day and 


is using as a control tear off 
The user supposedly signs them 
The 'point' personnel have no 
to receive particular outputs 
were signed by the user. Any 


for storage in archives, 
tear off sheets was to 


then forwards these sheets to 
The intended purpose of haviTg 

control who picks up the output by having an ODP operator 
confirm that each listing is signed for. Due to the volume 
plus the operator's regular duties this has not been 
effectively or efficiently done. To date there have been no 
requests from the users to recall any of these sheets to 
determine who received a listing. 


RECOMMENDATION #9: Establish more stringent 
controls over users receipt of data from the 
'point' in the Ruffing Center. 


Monitoring Terminal Usage 


29. ( A/IUO) We observed that some users were signing on 
to terminals but were not using them for periods of over a 
half hour. This inefficient usage could prevent other users 
from accessing the systems due to the limited number of 
terminals which can be signed on simultaneously. Allowing a 
terminal to be signed on but not in use could be a security 

risk, potentially permitting unauthorized users access to the 
systems. 


3 ?* J ( /IU0) En 9 lnee fmg Division (ED) prepares a computer 
generated report of terminal usage, primarily used to optimize 
the system configuration. ED can provide these reports to 
determine which terminals are not effectively being used. We 
provided the ODP Security Officer with this information. 


RECOMMENDATION #10: Provide terminal usage 
reports to appropriate ODP management person- 
nel for monitoring efficiency and security 
of terminal usage. 
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Improved Controls in Giins-II Data Bases 


31. ( A/lUO ) In one instance we found an inadequately 
tested change to a GIMS-II production data base causing loss 
of data intregity. In an attempt to prevent another occurence 
of the problem we discussed with appropriate ODP personnel the 
need for user approval of system changes to assure data base 
integrity. 

32. (A/IUO) ODP Data Access Center (DAC) personnel are 
now in the process of establishing procedures to control 
changes to GIMS-II production data bases. Included in these 
procedures will be requirements for; 

- testing or reviewing test results by the users' 

Data Base Manager 

- written notification from the ODP Application's 
Project Manager to the DAC of any change to the 
GIMS-II production data base 

- written document from the DAC to the user and the 
Application's Project Manager when the change 

is installed 

- documentation of all changes catalogued in the 
Central Library of Production Division 

- documentation of emergency changes within 48 hours. 

These procedures will also help avoid unapproved changes and 
make the customer more cognizant of the impact of changes on 
the system. ODP can continue their efforts to assure data and 
processing integrity in all systems they develop or maintain 
by strictly enforcing these procedures. 


RECOMMENDATION #11; Complete development 
and implement procedures to control systems 
changes. 


Agency Assets and Liabilities Understated 


33. (S) The general ledger accou nt 1723, Property in 

Use-Other, values ODP property at ^^^million. However, the 
eventual total cost of owned equipment currently in the two 
computer centers will be^^^H million. The discrepancy between 


SECRET 

Approved For Release 2001/08/14: CIA- 


RDP81 -001 42R0001 00030003-8 


13 


125X1 A 


25X1A 
25X1 A 


25X1A 
25X1 A 


Approved Fo 



lease 2001/08/14 : CIA-RDP81 -00141 

S E C K t T 


00100030003-8 


the actual value of owned equipment and the 
shown in the general ledgers is due to the 
not recording the cost of equipment until 
paid for. 


amount currently 
current policy of 
it is completely 


• (S) The Agency has alternate annual payment contracts 
with the Internat ional Business Machines Corporation (IBM), 

and several third party leasing firms for 

ot seven large computer systems. These contracts 
are to be paid over a multi-year 
date million has been paid on these 


le pu rchase 
total pmi 
period. To 
contracts . 


35. (S) Whether these contracts are viewed as a lease 

t0 i PU f?u Se ° r aS an . out right purchase with time 
payments they should be recorded in the accounting system. The 
General Accounting Office's 'Policy And Procedures Manual For 
t0 Federal Agencies Title II Accounting' (August 
iy/2), gives the following guidelines for property acquired 
under lease-purchase arrangements: 


The total cost shall be capitalized when the property 
is accepted from the contractor or when the option to 
purchase equipment is exercised, rather than period- 
ically as payments are made or when title passes to 
the Government' . 


xhe cost of property acquired under lease-purchase 
contracts, which in substance represent installment 
purchasing, should^ include the purchase price under 
the contracts and related costs incurred by the 
Government'. 


The purchase price included in lease-purchase contracts 
for property, which are in substance installment 
purchases..., shall be recorded as a liability when the 
property is accepted from the contractor or when the 
option to purchase equipment is exercised. Such a 
liability shall be reduced by periodic payments.' 


We believe for alternate annual payment contracts the option 
to purchase has been exercised at contract signing even thouqh 
payments are spread out over a period of time. In a separate 
memorandum to the Director of Finance, we are requesting 
action to record the purchase price of the contracts discussed 


above for 


million 


^ in the appropriate general ledqer 

account to capitalize the assets. The remaining liability of 

■■■ii milllon due the contractors should also be recorded in 
an appropriate general ledger account. 
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Identify ADP Se >.ce and System Development Costs 


36. (U) There is increasing Office of Management and 
Budget (0MB) and Congressional interest in the management and 
use of ADP resources. A recent report to the Congress by the 
Comptroller General, 'Accounting for Automatic Data Processing 
Costs Needs Improvement' (February 1978), states; 


'It is essential to keep costs accurately for data 
processing systems and organizations, as in any 
other department. Reliable cost data is practically 
indispensable in making sound decisions on whether 
to get needed services through procurement from 
commercial sources or to perform them in-house. 1 

The report goes on to explain the benefits of cost data: 


'With good cost accounting and reporting, management 
can have complete and consistent cost information 
quickly and economically. This should enable them 

to: 


- compare costs among organizations, activities, 
operations, and projects; 

- make informed investment decisions by: 

(1) estimates of the cost of implementing 
proposals for new systems and facilities, 

(2) preparation of cost-benefit analysis, and 

(3) cost comparisons with commercial and othe 
alternatives; 

- establish the cost of work done and measure 
productivity; 

- measure the cost of performance of responsible 
officials; 

- make end users and top management conscious of 
the cost of data processing systems and 

servi ces ; 

- provide the accounting basis for proper 
charging of appropriation, allotment, and 
program accounts as well as the billing for 
intra- and interagency services; and 
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-provide the accounting basis for budget 
justifications and reports to Congress, OMB, 
GSA, and the public on the cost, custody, 
and use of the automatic data processing 
resources entrusted to them. 1 

37. (U) ODP provides a complete range of data processing 

services, from helping users collect requirements to 
processing and maintaining applications after implementation. 
ODP distributes the Project Activity Report (PAR) to inform 
customer management of the value of services used each month. 
The value or cost of ADP services allocated to a project are 
based on computer usage and ODP man-hours. This report is 
also used by ODP management to respond to requests from the 
EAG, OMB, and other oversight committees. Knowing the value 
of ODP services is of interest to users who track and control 
the growth of their use of ADP resources. But the PAR is 

misleading when used to report project costs to the OMB or 

congressional committees. Computer usage costs are calculated 
using 1972 unit cost statistics. Also, the customer's 
man-hour and some contractor costs are not included in project 
costs. 

38. (U) A recent GAO publication, 'Illustrative 

Accounting Procedures for Federal Agencies' (1978), recommends 
the capitalization of major ADP systems and applications 
systems whose acquisition or development costs in excess of 
$100,000. The acquisition or development costs should 

include: 


- The price of purchased software and the estimated 
useful value of software obtained by other means, 
including the cost for preoperation modifications, 
conversions, testing, and documentation. 

- Salaries and benefits for agency staff and 
compensation of contractors and other Government 
personnel for developing new software and modify- 
ing software obtained through other means. This 
would include expenses for analysis, design, 
programming, documentation, testing, and conversion. 

It would also include expenses for preparing the 
computer operating instructions, user procedures 
manual and other documentation. 

- Computer operating costs for testing, debugging, 
and parallel processing. 

39. (U) This same GAO report published the results of a 
survey of 26 Federal organizations providing data processing 
services. Twelve of the 26 capitalized their hardware, and 
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ten of these capitalized their owned operating software. None 
of the organizations surveyed capitalized their owned 
applications software. 

40. (S) During 1977 ODP presented 21 major application 
systems to the EAC for review. ODP estimated development and 
operating costs for these systems would consume over $42 
million in ODP resources. These estimates do not identify 
accurately ODP development costs nor do they include the 
users' costs. Information about expenditures of this 
magnitude/ particularly when requested by oversight 
committees/ must be accurate and timely. At this time, we do 
not recommend capitalization of operating or applications 
software; however we do believe cost accounting procedures 
must be developed to identify the cost of these systems as if 
they were to be capitalized. ODP has initiated an internal 
office requirement to study this problem and obtain outside 
contractors assistance in upgrading their current cost system. 


RECOMMENDATION #12: Continue efforts to update cost 
accounting procedures to accurately and completely 
identify the current cost of ADP computer systems 
software . 


Property Procedures 


41. (A/IUO) A complete physical inventory of Type II 
Property has not been conducted since 30 June 1975. A partial 
inventory was taken at the time the current Logistics Officer 
assumed accountability on 19 July 1976. Existing Consolidated 
Memoranda of Receipt are two or more years out of date and no 
longer reflect the current physical disposition of ODP 
property particularly office equipment. ODP has begun an 
intensive effort to revise and correct ODP property accounting 
procedures. They have requested and received Office of 
Logistics agreement to provide assistance to jointly solve 
their property accounting problems. 


RECOMMENDATION #13: Continue the coordinated 
effort with the Office of Logistics to jointly 
solve ODP 1 s property accounting problems. In- 
sure that a complete physical inventory is 
conducted in accordance with Doc- 

ument any descrepancies revealed as a result of 
the inventory as prescribed by the regulations. 
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42. (A/XUO) Recording of Type II Property transactions in 
many instances lags too far behind actual receipt of the 
property. Part of the problem lies in the delay in forwarding 
receiving reports from the Support Staff to the Logistics 
Officer. In addition, the Logistics Officer is not always 
recording documents on a timely basis. 


RECOMMENDATION #14: Take actions required to 
assure recording of Type II Property transactions 
on a more timely basis. 

43. ( A/IUO ) Duplicate automated and manual systems exist 
to record financial and technical information about hardware. 
Support Staff enters puchase prices or the monthly rental 
payment amount into both Engineering Division's Engineering 
Management Information System (EMIS) and into their own 
purchase, lease and maintenance contract files. In addition. 
Environment and Configuration Management Branch maintains a 
manual file of utility and technical requirements of each 
hardware item. Supporting redundant data bases consumes 
resources and delays information flow between all participants 
in equipment transactions. Inconsistencies exist between 
systems. 


RECOMMENDATION #15: Determine the present capa- 
bility of EMIS to serve as a central data base 
for all hardware transactions, both engineering 
and financial. Identify the information needs 
of various components and determine whether EMIS 
can be enhanced to the point where it satisfies 
the needs identified. If EMIS is enhanced research 
and verify to supporting documentation any missing 
data. Consider recording ODP's office equipment 
on the data base in addition to currently listed 
major hardware items. 


44. (C) The Budget and Finance group of Management Staff 
is not able to validate the balance of their unliquidated 
obligations. The Encumbrance Activity Report continues to 
show as open requisitions those which have been filled and 
paid by the Agency. This problem arises outside of ODP's 
control and is likewise a problem for other offices. We will 
address the issue further in our audit of the Office of 
Logistics. 
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Report of Audit of ODP 
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DD/A Registry 
File 3-3 




.cer/DDA 


DD/A 78- 3584/ 2 


Mr. May 

Director/ODP Danny: 

VIA TUBE j gjj sure y 0U recall seeing 

the Audit Staff Report request 
that Agency assets and liabili- 
ties in the ADP field should 
be recorded differently so as 
not to be understated. I re- 
call ashing you some tine ago 
if this gave you any trouble 
and you responded that it would 
not. 

To close the loop, I thought 
you night be interested in 
Tom Yale's response to the 
Audit Staff showing why a change 
in recording assets and liabili- 
ties should not be 



Att 

Distribution : 

Orig - Mr. May w/att 
1 - DDA Chrono 
- DDA Subj 
1 - RFZ Chrono 

E0/DDA;se 21 Nov 78 
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ROUTING AND RECORD SHEET 


SUBJECT; (Optionol) 


Re port of Audit of the Office of Data Processing as of 30 June 1978 

FROM: Thomas B. Yale [~ EXTENS,ON T%. 

Director of Finance — — 


1212 Key Bldg. 


TO; (Officer designation, room number, and 

building) 



DDA 

7D24 Headquarters 

2. 

/ 


r 

3. 


2 4 OCT 1378 


STATIN' 


forwarded 


OFFICER'S COMMENTS (Number each comment to show from whom 
INITIALS to whom. Draw a line across column after each comment.) 
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